Bug 1449728 - LDAP to IPA migration doesn't work in master
Summary: LDAP to IPA migration doesn't work in master
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: SSSD Maintainers
QA Contact: Nikhil Dehadrai
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-05-10 14:17 UTC by Jakub Hrozek
Modified: 2020-05-02 18:41 UTC (History)

Fixed In Version: sssd-1.15.2-43.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:06:23 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github SSSD sssd | issues 4421 | 0 | None | None | None | 2020-05-02 18:41:01 UTC
Red Hat Product Errata | RHEA-2017:2294 | 0 | normal | SHIPPED_LIVE | sssd bug fix and enhancement update | 2017-08-01 12:39:55 UTC

Description Jakub Hrozek 2017-05-10 14:17:57 UTC
This bug is created as a clone of upstream ticket:
https://pagure.io/SSSD/sssd/issue/3394

To support PKINIT, we now return PAM_NO_MODULE_DATA when the krb5_child process returns ERR_NO_AUTH_METHOD_AVAILABLE. Previously, we used to return PAM_CRED_ERR which the IPA auth code expects in order to start password migration.
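
The regression described above, reduced to a small C model; this is an added example, not SSSD or IPA source. All enum values and function names are local stand-ins, and the `tolerant` switch is a hypothetical adjustment, since the page does not say how the fix was made.

```c
/* Simplified model of the flow in this bug report; not SSSD or IPA source.
 * CHILD_NO_AUTH_METHOD stands in for ERR_NO_AUTH_METHOD_AVAILABLE; all names are constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
enum child_rc { CHILD_OK, CHILD_BAD_PASSWORD, CHILD_NO_AUTH_METHOD };
enum pam_rc { M_PAM_SUCCESS, M_PAM_AUTH_ERR, M_PAM_CRED_ERR, M_PAM_NO_MODULE_DATA };
struct user { const char *password; bool has_krb_keys; };

/* krb5_child stand-in: without Kerberos keys there is no usable auth method. */
static enum child_rc model_krb5_child(const struct user *u, const char *pw) {
    if (!u->has_krb_keys) return CHILD_NO_AUTH_METHOD;
    return strcmp(u->password, pw) == 0 ? CHILD_OK : CHILD_BAD_PASSWORD;
}

/* Child result -> PAM status, before (false) or after (true) the PKINIT change. */
static enum pam_rc map_status(enum child_rc rc, bool pkinit_change) {
    if (rc == CHILD_OK) return M_PAM_SUCCESS;
    if (rc == CHILD_BAD_PASSWORD) return M_PAM_AUTH_ERR;
    return pkinit_change ? M_PAM_NO_MODULE_DATA : M_PAM_CRED_ERR;
}

/* IPA auth stand-in: on the migration trigger, bind with the password so the
 * server can create Kerberos keys, then retry. `tolerant` is a hypothetical switch. */
enum pam_rc ipa_auth(struct user *u, const char *pw, bool pkinit_change, bool tolerant) {
    enum pam_rc st = map_status(model_krb5_child(u, pw), pkinit_change);
    bool trigger = st == M_PAM_CRED_ERR || (tolerant && st == M_PAM_NO_MODULE_DATA);
    if (!trigger) return st;
    if (strcmp(u->password, pw) != 0) return M_PAM_AUTH_ERR; /* bind rejected */
    u->has_krb_keys = true;           /* keys generated on a successful bind */
    return map_status(model_krb5_child(u, pw), pkinit_change);
}

/* One login by a freshly migrated user; *keys reports whether keys now exist. */
enum pam_rc migrated_login(bool pkinit_change, bool tolerant, bool *keys) {
    struct user u = { "example-pw", false };   /* constructed sample account */
    enum pam_rc st = ipa_auth(&u, "example-pw", pkinit_change, tolerant);
    if (keys) *keys = u.has_krb_keys;
    return st;
}

int main(void) {
    for (int i = 0; i < 3; i++) {   /* old mapping, regression, tolerant caller */
        bool keys;
        enum pam_rc st = migrated_login(i > 0, i > 1, &keys);
        printf("pkinit_change=%d tolerant=%d status=%d keys=%d\n", i > 0, i > 1, st, keys);
    }
    return 0;
}
```

In the middle case the caller still waits for the old status, so the migrated account never gets Kerberos keys and the login fails.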

Comment 2 Lukas Slebodnik 2017-06-03 15:38:09 UTC
master:
* a5e134b22aa27ff6cd66a7ff47089788ebc098a1

Comment 5 Nikhil Dehadrai 2017-06-06 11:06:21 UTC
IPA version: ipa-server-4.5.0-14.el7.x86_64
SSSD: sssd-1.15.2-43.el7.x86_64

1. Verified that LDAP user after migration is able to authenticate to MASTER.
2. Refer to the output below for the test:


:: [   LOG    ] :: Migrate users with hashed passwords
:: [ 06:51:30 ] :: EXECUTING: ipa migrate-ds --user-container="ou=People" --group-container="ou=groups" --with-compat ldap://bkr-hv03-guest26.testrelm.test:389
:: [  BEGIN   ] :: Running 'echo Secret123 | ipa migrate-ds --user-container="ou=People" --group-container="ou=groups" --with-compat ldap://bkr-hv03-guest26.testrelm.test:389'
-----------
migrate-ds:
-----------
Migrated:
  user: puser1, puser2
  group: accounting managers, hr managers, qa managers, pd managers, group1, group2
Failed user:
Failed group:
----------
Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided
with clear text passwords. All migrated users need to
login at https://your.domain/ipa/migration/ before they
can use their Kerberos accounts.
:: [   PASS   ] :: Command 'echo Secret123 | ipa migrate-ds --user-container="ou=People" --group-container="ou=groups" --with-compat ldap://bkr-hv03-guest26.testrelm.test:389' (Expected 0, got 0)
:: [  BEGIN   ] :: Verify migrated user puser1 does not have a keytab :: actually running 'verifyUserAttr puser1 "Kerberos keys available" False'
:: [ 06:51:32 ] :: Value of Kerberos keys available for user puser1 is as expected: False
:: [   PASS   ] :: Verify migrated user puser1 does not have a keytab (Expected 0, got 0)
:: [  BEGIN   ] :: Verify migrated user puser2 does not have a keytab :: actually running 'verifyUserAttr puser2 "Kerberos keys available" False'
:: [ 06:51:33 ] :: Value of Kerberos keys available for user puser2 is as expected: False
:: [   PASS   ] :: Verify migrated user puser2 does not have a keytab (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'echo Secret123 | kinit admin'
Password for admin: 
:: [   PASS   ] :: Command 'echo Secret123 | kinit admin' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa user-find puser1'
--------------
1 user matched
--------------
  User login: puser1
  Last name: User1
  Home directory: /home/puser1
  Login shell: /bin/bash
  Principal name: puser1
  Principal alias: puser1
  UID: 1001
  GID: 1001
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------
:: [   PASS   ] :: Command 'ipa user-find puser1' (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'ipa user-find puser2'
--------------
1 user matched
--------------
  User login: puser2
  Last name: User2
  Home directory: /home/puser2
  Login shell: /bin/bash
  Principal name: puser2
  Principal alias: puser2
  UID: 1002
  GID: 1002
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------
:: [   PASS   ] :: Command 'ipa user-find puser2' (Expected 0, got 0)
'589519d2-cb87-4bef-bb22-73a0a69ab9a5'
Migrate-users-with-hashed-passwords result: PASS


:: [   LOG    ] :: SSSD password migration with user1
:: [  BEGIN   ] :: Running 'ssh_auth_success puser1 fo0m4nchU ibm-x3650m4-01-vm-04.testrelm.test'
spawn ssh -q -o StrictHostKeyChecking=no -l puser1 ibm-x3650m4-01-vm-04.testrelm.test echo 'login successful'
Password: 
Could not chdir to home directory /home/puser1: No such file or directory
login successful
:: [   PASS   ] :: Authentication successful for puser1, as expected 
:: [   PASS   ] :: Command 'ssh_auth_success puser1 fo0m4nchU ibm-x3650m4-01-vm-04.testrelm.test' (Expected 0, got 0)
:: [  BEGIN   ] :: Verify migrated user puser1 now has a keytab :: actually running 'verifyUserAttr puser1 "Kerberos keys available" True'
:: [ 06:51:40 ] :: Value of Kerberos keys available for user puser1 is as expected: True
:: [   PASS   ] :: Verify migrated user puser1 now has a keytab (Expected 0, got 0)
:: [  BEGIN   ] :: Ensuring that kinit as puser1 worked :: actually running 'klist | grep puser1'
Default principal: puser1
:: [   PASS   ] :: Ensuring that kinit as puser1 worked (Expected 0, got 0)
:: [ 06:51:40 ] :: Running kinit
'7978fd51-eaa6-47a0-893b-c874acbbfbeb'
SSSD-password-migration-with-user1 result: PASS


:: [   LOG    ] :: SSSD password migration user2
:: [  BEGIN   ] :: Running 'ssh_auth_success puser2 Secret123 ibm-x3650m4-01-vm-04.testrelm.test'
spawn ssh -q -o StrictHostKeyChecking=no -l puser2 ibm-x3650m4-01-vm-04.testrelm.test echo 'login successful'
Password: 
Could not chdir to home directory /home/puser2: No such file or directory
login successful
:: [   PASS   ] :: Authentication successful for puser2, as expected 
:: [   PASS   ] :: Command 'ssh_auth_success puser2 Secret123 ibm-x3650m4-01-vm-04.testrelm.test' (Expected 0, got 0)
:: [  BEGIN   ] :: Verify migrated user puser2 now has a keytab :: actually running 'verifyUserAttr puser2 "Kerberos keys available" True'
:: [ 06:51:45 ] :: Value of Kerberos keys available for user puser2 is as expected: True
:: [   PASS   ] :: Verify migrated user puser2 now has a keytab (Expected 0, got 0)
:: [  BEGIN   ] :: Ensuring that kinit as puser2 worked :: actually running 'klist | grep puser2'
Default principal: puser2
:: [   PASS   ] :: Ensuring that kinit as puser2 worked (Expected 0, got 0)
:: [ 06:51:45 ] :: Running kinit
'7c95a237-05a8-4199-aa23-edcdcb796b03'
SSSD-password-migration-user2 result: PASS

Thus, on the basis of the above observations, marking the status of the bug as "VERIFIED".

Comment 6 errata-xmlrpc 2017-08-01 09:06:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294

